Federal government and private industry researchers warn of custom trojans and worms.


As North Korea’s government prepares for a possible summit with US President Donald Trump later this month, hackers working on behalf of the isolated country have continued a volley of network intrusions that target media, aerospace, financial, and critical-infrastructure companies in the US, South Korea, and other nations, researchers in private industry and the federal government said this week.

On Tuesday, the US Department of Homeland Security and the FBI identified two pieces of malware North Korea is actively using against multiple organizations throughout the world, including in the US. The malware, according to a joint technical alert the two agencies published, is being used by participants in Hidden Cobra, which is the name US intelligence officials have given to North Korea’s hacking operation. Tuesday’s alert said the malware has likely been in use since at least 2009.

The first piece of malware is a fully functional remote-access trojan called Joanap. It typically infects computers as a payload that is delivered by another piece of Hidden Cobra malware, and targets unknowingly download it when they visit a compromised website. The two-stage RAT lets its remote operators steal data, install new programs, and act as a proxy for Internet traffic to disguise attacks on new targets.

The second piece of malware is a worm that spreads across SMB networks by guessing weak passwords. Known as Brambul, the self-replicating malware is usually delivered through a dropper. Once it takes hold, it uses email to send the operators information about each infected system, including its IP address, host name, username, and password. It supports a variety of capabilities, including accepting remote commands and executing a “suicide” script that destroys infected devices.
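Both behaviours the alert attributes to Brambul, password guessing over SMB and mailing host details out, leave traces a defender can look for. The detector below is an added example, not code from the article or the DHS/FBI alert; it runs over constructed, simplified Windows-style log lines, and the field layout, the use of event 4625 with logon type 3 for failed network logons, and the thresholds are assumptions.

```python
# Added example (not from the Ars article or the DHS/FBI alert): a small
# detector for two behaviours the alert attributes to Brambul, SMB password
# guessing and mailing host details out. Every log line below is constructed;
# the field layout and thresholds are assumptions.
from collections import defaultdict

# Constructed, simplified Windows-style records: failed network logons
# (event 4625, logon type 3 covers SMB) plus outbound connection records.
LOG_LINES = [
    "2018-05-29T10:00:01 host=WS01 event=4625 logon_type=3 src=10.0.0.5 user=admin",
    "2018-05-29T10:00:02 host=WS01 event=4625 logon_type=3 src=10.0.0.5 user=administrator",
    "2018-05-29T10:00:03 host=WS02 event=4625 logon_type=3 src=10.0.0.5 user=admin",
    "2018-05-29T10:00:04 host=WS02 event=4625 logon_type=3 src=10.0.0.5 user=root",
    "2018-05-29T10:00:05 host=WS03 event=4625 logon_type=3 src=10.0.0.5 user=guest",
    "2018-05-29T10:00:06 host=WS03 event=4625 logon_type=3 src=10.0.0.5 user=password",
    "2018-05-29T10:00:09 host=WS03 event=4624 logon_type=3 src=10.0.0.5 user=guest",
    "2018-05-29T10:01:00 host=WS03 event=netconn dst=203.0.113.7 dport=25 proto=tcp",
    "2018-05-29T10:02:00 host=WS09 event=4625 logon_type=2 src=- user=alice",
    "2018-05-29T10:03:00 host=MAIL01 event=netconn dst=198.51.100.2 dport=25 proto=tcp",
]

MAIL_SERVERS = {"MAIL01"}   # assumption: the only hosts expected to speak SMTP
GUESS_THRESHOLD = 5         # failed network logons from one source before alerting

def parse(line):
    """Turn 'ts key=value ...' into a dict (constructed log format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def detect(lines):
    """Return alerts for password guessing over SMB and unexpected outbound SMTP."""
    alerts = []
    failures = defaultdict(lambda: {"n": 0, "targets": set()})
    for rec in map(parse, lines):
        if rec.get("event") == "4625" and rec.get("logon_type") == "3":
            f = failures[rec["src"]]          # many failures from one source ...
            f["n"] += 1
            f["targets"].add(rec["host"])    # ... against several hosts = spraying
        elif (rec.get("event") == "netconn" and rec.get("dport") == "25"
              and rec["host"] not in MAIL_SERVERS):
            # Brambul reports IP, host name and credentials by email; a
            # workstation talking SMTP directly is the signal to chase.
            alerts.append(("smtp_from_non_mail_host", rec["host"], rec["dst"]))
    for src, f in failures.items():
        if f["n"] >= GUESS_THRESHOLD and len(f["targets"]) > 1:
            alerts.append(("smb_password_guessing", src, sorted(f["targets"])))
    return alerts
```

Running `detect(LOG_LINES)` flags the single source that failed against three hosts and the workstation that opened an SMTP connection, while the mail server and the interactive failed logon are ignored.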

“A successful network intrusion can have severe impacts, particularly if the compromise becomes public,” Tuesday’s alert stated. It said effects of infection include:

temporary or permanent loss of sensitive or proprietary information,

disruption to regular operations,

financial losses incurred to restore systems and files, and

potential harm to an organization’s reputation.

NavRAT targets South Korea

On Thursday, members of Cisco’s Talos security team said they recently discovered a new email campaign that attempts to infect South Korean computers with a trojan dubbed NavRAT. The spear phishing messages reference the possible US-North Korean summit and attach a document that exploits a vulnerability in the Hangul Word Processor, which is used in South Korea. Talos said it had medium confidence the emails are the work of a North Korean hacking group they call Group123.

Like Joanap, NavRAT uses email to communicate with attackers. As the Talos researchers investigated the trojan, they found that the email account it used had been locked by the provider, presumably because NavRAT had been executed from so many countries. The researchers said they suspect the trojan has been in use since 2016 and has been used sparingly. Both Tuesday's alert and Cisco's report from Thursday contain technical details IT and security personnel can use to determine if their computers or networks have been targeted. The reports come two weeks after researchers said a team of North Korean hackers used malicious apps hosted in the official Google Play market to target defectors.


As Ars pointed out within previous coverage of continued North Korean hacking activities, it’s not particularly surprising or unusual for any country to continue or even increase its espionage work even as it makes public overtures for peace. High-stakes negotiations only increase the need for intelligence.